Contents of /trunk/pam/patches/pam-0.80-CAN-2005-2977.patch
Parent Directory
| 
Revision Log
Revision 153 -
(show annotations)
(download)
Tue May 8 20:52:56 2007 UTC (17 years ago) by niro
File size: 3148 byte(s)
Tue May 8 20:52:56 2007 UTC (17 years ago) by niro
File size: 3148 byte(s)
-import
| 1 | When you set SELinux to permissive mode or the policy doesn't prevent |
| 2 | running unix_chkpwd as regular user it is possible to use unix_chkpwd |
| 3 | for checking any user's passwords from a regular user account. |
| 4 | |
| 5 | Because there is no delay and logging in unix_chkpwd it allows easy |
| 6 | brute-force attacks on passwords in /etc/shadow which probably |
| 7 | won't get noticed by administrator. |
| 8 | |
| 9 | This patch prevents this unwanted behaviour and also adds logging. |
| 10 | |
| 11 | --- Linux-PAM-0.77/modules/pam_unix/pam_unix_acct.c.only-root 2005-10-07 18:40:47.000000000 +0200 |
| 12 | +++ Linux-PAM-0.77/modules/pam_unix/pam_unix_acct.c 2005-10-17 00:23:50.000000000 +0200 |
| 13 | @@ -119,6 +119,13 @@ |
| 14 | } |
| 15 | } |
| 16 | } |
| 17 | + |
| 18 | + if (SELINUX_ENABLED && geteuid() == 0) { |
| 19 | + /* must set the real uid to 0 so the helper will not error |
| 20 | + out if pam is called from setuid binary (su, sudo...) */ |
| 21 | + setuid(0); |
| 22 | + } |
| 23 | + |
| 24 | /* exec binary helper */ |
| 25 | args[0] = x_strdup(CHKPWD_HELPER); |
| 26 | args[1] = x_strdup(user); |
| 27 | --- Linux-PAM-0.77/modules/pam_unix/support.c.only-root 2005-10-07 18:40:47.000000000 +0200 |
| 28 | +++ Linux-PAM-0.77/modules/pam_unix/support.c 2005-10-07 18:40:47.000000000 +0200 |
| 29 | @@ -620,6 +620,13 @@ |
| 30 | close(i); |
| 31 | } |
| 32 | } |
| 33 | + |
| 34 | + if (SELINUX_ENABLED && geteuid() == 0) { |
| 35 | + /* must set the real uid to 0 so the helper will not error |
| 36 | + out if pam is called from setuid binary (su, sudo...) */ |
| 37 | + setuid(0); |
| 38 | + } |
| 39 | + |
| 40 | /* exec binary helper */ |
| 41 | args[0] = x_strdup(CHKPWD_HELPER); |
| 42 | args[1] = x_strdup(user); |
| 43 | --- Linux-PAM-0.77/modules/pam_unix/pam_unix_passwd.c.only-root 2005-10-07 18:40:47.000000000 +0200 |
| 44 | +++ Linux-PAM-0.77/modules/pam_unix/pam_unix_passwd.c 2005-10-17 00:24:20.000000000 +0200 |
| 45 | @@ -268,6 +268,13 @@ |
| 46 | close(i); |
| 47 | } |
| 48 | } |
| 49 | + |
| 50 | + if (SELINUX_ENABLED && geteuid() == 0) { |
| 51 | + /* must set the real uid to 0 so the helper will not error |
| 52 | + out if pam is called from setuid binary (su, sudo...) */ |
| 53 | + setuid(0); |
| 54 | + } |
| 55 | + |
| 56 | /* exec binary helper */ |
| 57 | args[0] = x_strdup(CHKPWD_HELPER); |
| 58 | args[1] = x_strdup(user); |
| 59 | --- Linux-PAM-0.77/modules/pam_unix/unix_chkpwd.c.only-root 2005-10-07 18:40:47.000000000 +0200 |
| 60 | +++ Linux-PAM-0.77/modules/pam_unix/unix_chkpwd.c 2005-10-07 18:40:47.000000000 +0200 |
| 61 | @@ -466,13 +466,12 @@ |
| 62 | } |
| 63 | |
| 64 | /* |
| 65 | - * determine the current user's name is. |
| 66 | - * On a SELinux enabled system, policy will prevent third parties from using |
| 67 | - * unix_chkpwd as a password guesser. Leaving the existing check prevents |
| 68 | - * su from working, Since the current uid is the users and the password is |
| 69 | - * for root. |
| 70 | + * Determine what the current user's name is. |
| 71 | + * On a SELinux enabled system with a strict policy leaving the |
| 72 | + * existing check prevents shadow password authentication from working. |
| 73 | + * We must thus skip the check if the real uid is 0. |
| 74 | */ |
| 75 | - if (SELINUX_ENABLED) { |
| 76 | + if (SELINUX_ENABLED && getuid() == 0) { |
| 77 | user=argv[1]; |
| 78 | } |
| 79 | else { |
| 80 | @@ -534,6 +533,7 @@ |
| 81 | /* return pass or fail */ |
| 82 | |
| 83 | if ((retval != PAM_SUCCESS) || force_failure) { |
| 84 | + _log_err(LOG_NOTICE, "password check failed for user (%s)", user); |
| 85 | return PAM_AUTH_ERR; |
| 86 | } else { |
| 87 | return PAM_SUCCESS; |
| 88 | |
| 89 |